2 * Code copied from openssl distribution and
3 * Modified just enough so that compiles and runs standalone
5 * Copyright (C) 2010, Broadcom Corporation. All Rights Reserved.
7 * Permission to use, copy, modify, and/or distribute this software for any
8 * purpose with or without fee is hereby granted, provided that the above
9 * copyright notice and this permission notice appear in all copies.
11 * THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES
12 * WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
13 * MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY
14 * SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
15 * WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION
16 * OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN
17 * CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
19 * $Id: hmac_sha256.c,v 1.5.218.2 2010-06-08 01:29:21 Exp $
21 /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
22 * All rights reserved.
24 * This package is an SSL implementation written
25 * by Eric Young (eay@cryptsoft.com).
26 * The implementation was written so as to conform with Netscapes SSL.
28 * This library is free for commercial and non-commercial use as long as
29 * the following conditions are aheared to. The following conditions
30 * apply to all code found in this distribution, be it the RC4, RSA,
31 * lhash, DES, etc., code; not just the SSL code. The SSL documentation
32 * included with this distribution is covered by the same copyright terms
33 * except that the holder is Tim Hudson (tjh@cryptsoft.com).
35 * Copyright remains Eric Young's, and as such any Copyright notices in
36 * the code are not to be removed.
37 * If this package is used in a product, Eric Young should be given attribution
38 * as the author of the parts of the library used.
39 * This can be in the form of a textual message at program startup or
40 * in documentation (online or textual) provided with the package.
42 * Redistribution and use in source and binary forms, with or without
43 * modification, are permitted provided that the following conditions
45 * 1. Redistributions of source code must retain the copyright
46 * notice, this list of conditions and the following disclaimer.
47 * 2. Redistributions in binary form must reproduce the above copyright
48 * notice, this list of conditions and the following disclaimer in the
49 * documentation and/or other materials provided with the distribution.
50 * 3. All advertising materials mentioning features or use of this software
51 * must display the following acknowledgement:
52 * "This product includes cryptographic software written by
53 * Eric Young (eay@cryptsoft.com)"
54 * The word 'cryptographic' can be left out if the rouines from the library
55 * being used are not cryptographic related :-).
56 * 4. If you include any Windows specific code (or a derivative thereof) from
57 * the apps directory (application code) you must include an acknowledgement:
58 * "This product includes software written by Tim Hudson (tjh@cryptsoft.com)"
60 * THIS SOFTWARE IS PROVIDED BY ERIC YOUNG ``AS IS'' AND
61 * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
62 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
63 * ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
64 * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
65 * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
66 * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
67 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
68 * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
69 * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
72 * The licence and distribution terms for any publically available version or
73 * derivative of this code cannot be changed. i.e. this code cannot simply be
74 * copied and put under another distribution licence
75 * [including the GNU Public Licence.]
81 #include <stddef.h> /* for size_t */
83 extern void bcopy(const void *src
, void *dst
, size_t len
);
84 extern int bcmp(const void *b1
, const void *b2
, size_t len
);
85 extern void bzero(void *b
, size_t len
);
87 #define bcopy(src, dst, len) memcpy((dst), (src), (len))
88 #define bcmp(b1, b2, len) memcmp((b1), (b2), (len))
89 #define bzero(b, len) memset((b), 0, (len))
90 #endif /* defined(__GNUC__) */
95 #endif /* BCMDRIVER */
97 #include "bcmcrypto/sha256.h"
98 #include "bcmcrypto/hmac_sha256.h"
100 #include "bcmutils.h"
103 hmac_sha256(const void *key
, int key_len
,
104 const unsigned char *text
, size_t text_len
, unsigned char *digest
,
105 unsigned int *digest_len
)
111 unsigned char sha_key
[SHA256_CBLOCK
];
112 unsigned char k_ipad
[SHA256_CBLOCK
]; /* inner padding -
115 unsigned char k_opad
[SHA256_CBLOCK
]; /* outer padding -
119 /* block size smaller than key size : hash down */
120 if (SHA256_CBLOCK
< key_len
)
123 SHA256_Update(&ctx
, key
, key_len
);
124 SHA256_Final(sha_key
, &ctx
);
126 key_len
= SHA256_DIGEST_LENGTH
;
130 * the HMAC_SHA256 transform looks like:
132 * SHA256(K XOR opad, SHA256(K XOR ipad, text))
134 * where K is an n byte key
135 * ipad is the byte 0x36 repeated 64 times
136 * opad is the byte 0x5c repeated 64 times
137 * and text is the data being protected
139 /* compute inner and outer pads from key */
140 bzero(k_ipad
, sizeof(k_ipad
));
141 bzero(k_opad
, sizeof(k_opad
));
142 bcopy(key
, k_ipad
, key_len
);
143 bcopy(key
, k_opad
, key_len
);
145 /* XOR key with ipad and opad values */
146 for (i
= 0; i
< 64; i
++) {
153 * perform inner SHA256
155 SHA256_Init(&ctx
); /* init context for 1st pass */
156 SHA256_Update(&ctx
, k_ipad
, SHA256_CBLOCK
); /* start with inner pad */
157 SHA256_Update(&ctx
, text
, text_len
); /* then text of datagram */
158 SHA256_Final(digest
, &ctx
); /* finish up 1st pass */
160 * perform outer SHA256
162 SHA256_Init(&ctx
); /* init context for 2nd pass */
163 SHA256_Update(&ctx
, k_opad
, SHA256_CBLOCK
); /* start with outer pad */
164 SHA256_Update(&ctx
, digest
, SHA256_DIGEST_LENGTH
); /* then results of 1st hash */
165 SHA256_Final(digest
, &ctx
); /* finish up 2nd pass */
168 *digest_len
= SHA256_DIGEST_LENGTH
;
171 void hmac_sha256_n(const void *key
, int key_len
,
172 const unsigned char *text
, size_t text_len
, unsigned char *digest
,
173 unsigned int digest_len
)
176 uchar digest_tmp
[SHA256_DIGEST_LENGTH
];
179 uint16 digest_bitlen
= (digest_len
*8);
184 bcopy(text
, &data
[data_len
], text_len
);
185 data_len
+= text_len
;
186 bcopy((uchar
*)&digest_bitlen
, &data
[data_len
], sizeof(uint16
));
187 data_len
+= sizeof(uint16
);
188 for (i
= 0; i
< (digest_len
+ SHA256_DIGEST_LENGTH
- 1) / SHA256_DIGEST_LENGTH
; i
++) {
189 *(uint16
*)data
= (uint16
) i
+ 1;
190 hmac_sha256(key
, key_len
, data
, data_len
, digest_tmp
, NULL
);
191 bcopy(digest_tmp
, &digest
[(i
*SHA256_DIGEST_LENGTH
)], SHA256_DIGEST_LENGTH
);
196 sha256(const unsigned char *text
, size_t text_len
, unsigned char *digest
,
197 unsigned int digest_len
)
201 SHA256_Init(&ctx
); /* init context for 1st pass */
202 SHA256_Update(&ctx
, text
, text_len
); /* start with inner pad */
203 SHA256_Final(digest
, &ctx
); /* finish up 1st pass */
207 * Length of output is in octets rather than bits
208 * since length is always a multiple of 8
209 * output array is organized so first N octets starting from 0
210 * contains PRF output
212 * supported inputs are 16, 32, 48, 64
213 * output array must be 80 octets in size to allow for sha1 overflow
215 #define KDF_MAX_I_D_LEN 128
217 KDF(unsigned char *key
, int key_len
, unsigned char *prefix
,
218 int prefix_len
, unsigned char *data
, int data_len
,
219 unsigned char *output
, int len
)
221 unsigned char input
[KDF_MAX_I_D_LEN
]; /* concatenated input */
225 if ((prefix_len
+ data_len
+ 1) > KDF_MAX_I_D_LEN
)
228 if (prefix_len
!= 0) {
229 bcopy(prefix
, input
, prefix_len
);
230 data_offset
= prefix_len
;
232 bcopy(data
, &input
[data_offset
], data_len
);
233 total_len
= data_offset
+ data_len
;
234 hmac_sha256_n(key
, key_len
, input
, total_len
, output
, len
);